Like all open source software, the underlying codebase can always be scrutinized by attackers with the will and ability to find exploits. The flip-side of this equation is that popular and active open source software projects like Joomla have been hardened against nearly all of the published exploits and are generally considered quite safe.
Despite this, it is not possible to have a website that is both publicly accessible and 100% secure. Security is a continual process of learning and website hardening that should always be considered a ‘work in progress’.
To help you on your journey of website security with Joomla, we’ve prepared this collection of resources that can be used to keep your Joomla site safe.
Joomla Security Checklist
The Joomla Security Checklist is the perfect place to start when it comes to maintaining a secure Joomla website.
The list includes great advice for choosing a secure web host, managing file permissions, optimal Joomla configuration, what do do if you have been hacked, and more.
Be sure to take some time to read through and understand the basics of each section.
Joomla also provides a number of additional security resources on their general Joomla Security page that are a great way to grow your security knowledge.
Vulnerable Extension List & Security News
Another great list for keeping your site secure is the Vulnerable Extensions List or (VEL). The VEL is a catalog all of the known exploits in 3rd-party Joomla extensions.
Monitoring this list by signing up for email alerts is a great way to be notified when non-core add-ons report an exploit that may affect your sites.
Joomla also maintains an RSS feed for security issues in the Joomla core, though users of Joomla 3.5 and greater will be notified about these when patches are released for their version of Joomla via the Joomla update notification plugin. Nonetheless, we still recommend that you sign up to be notified via email when security issues arise in the Joomla core.
Security patches for end-of-life versions
Joomla 2.5 and 1.5 have reached end-of-life (EOL) status, meaning that they are no longer supported. However, a few critical security issues have arisen for these versions that should be patched until the site can be upgraded to the latest version of Joomla.
To make it easier to apply updates for EOL Joomla versions, below you will find links to security patches that may be installed from the Joomla backend or bulk-installed using the Remote Installer in Watchful.
- Joomla 2.5
- Joomla 1.5
The Joomla Community Magazine
The Joomla Community Magazine can be a great resource for security information and advice. We recommend that you regularly visit out the Administrators Toolkit area for security-related posts such as:
- 10 Minutes to Protect Against Disaster
- How to Strengthen your Administrator Password
- Website Monitoring, Backup, and Two Cups of Coffee
- 10 Arguments That Threaten the Security of Your Website
- Investing in HTTPS is Crucial to Your Joomla Site’s Integrity
But there are numerous small steps you can take that make the pathway to your data just a bit more difficult.
The internet is continually publishing new items on website security and Joomla of course is a common topic. We recommend that you regularly head over to your favorite search engine and search for Joomla security and filter for recent articles. For example, we just found this great Complete 10 Step Guide to Joomla Security.
Trusted security extensions
Joomla has many security softwares listed in the official directory of Joomla software.
We recommend that you review the popular items in this category and see which ones make sense for your particular need.
We recommend choosing a Web Application Firewall such as Akeeba Admin Tools and RSFirewall. You may also try OSE Anti-Virus for Joomla a virus scanning extension that scan Joomla as well as other files on the server, and has the ability to quarantine detected files.
The Official Joomla Security Forums
If you’ve read this far, and followed the links above, you’re well on your way to maintaining a safe and secure Joomla website. But if you still have questions, be sure to pose a question in the security forums at Joomla.org.